Comments for Identity-Theft Disclosure Laws
A blog covering security and security technology.

Comment from Kim on 2007-04-12
We should sue the Federal Government and make them accountable for the fact that they FORCE us to have this SS #. This number can never be changed. This number can and does hold us accountable for actions taken that require this number. There is no current means to definitively prove that we are who we are. Solutions could be easily implemented. Finger and foot prints SHOULD BE required upon application for a Social Security Card. Finger print required on all transactions and/or applications for credit using this number. So simple, yet our government would rather give our identities' benefits to illegals who then collect the benefits we worked hard to earn. People's character, opportunities, and finances have been impacted, and due to the government's lack of responsibility to its citizens we suffer irreparable damages. Some people have actually been arrested for identity theft. What has to happen before US citizens get a backbone?

Comment from ott on 2006-05-17
"What we really need are laws prohibiting credit card companies and other financial institutions from granting credit to someone using your name with only a minimum of authentication."

As pointed out by several people in this thread, we don't need laws preventing companies from making stupid decisions. We need a way for ordinary people to assert their rights when the company tries to get the innocent party to pay for the consequences of that stupidity. Clearly a company that made a trust decision based on inadequate information is liable, but first one needs to convince the company's legal department of this -- and things degenerate into a game of chicken, to see who will give in first. It is clearly in the company's economic interest to play this game for a while, since it results in better profits than improving security. So stupid decisions may not be so stupid after all when there is a legal department on standby.

My personal preference would be better court procedure, where the party who files a malicious suit is automatically liable for costs.

Comment from Blockhead on 2006-05-15
"...a poor federal law is better than none."

I like your comments, but I sure hope we don't have to wait for federal action. I'd rather see a simple "carrot and stick" approach. The stick, if you will, wielded by the first gutsy, greedy mega-law firm persuasive enough to push a class-action suit against a major credit card company or retailer on a theory of negligence for fraudulent credit card transactions that result in damage to consumer credit ratings. Stronger identification, though not full- (or fool) proof, is easily within reach of today's technology, so failure to take action shows a lack of due care on the part of lenders and merchants in the credit card chain. I think a talented team of hungry lawyers could convince a jury that the Visa's and MC's just don't care about the damage they are allowing to happen.

The carrot, the business opportunity, will come to the credit card company that offers n-factor identification (fingerprints, SecureId pins, etc) for a small fee, and perhaps even develops a business model that offers lower rates to consumers who want stronger anti-fraud features.

The lenders simply pass on the cost of card fraud to borrowers. Perhaps the rising interest rates anticipated because of the inflation caused by oil prices will provide some incentive to cut lending costs and continue to be competitive.

You don't say how she lost it; it could have been due to not being able to pay legal fees or other debt incurred with trying to assert her rights. Or to some peculiarity of the law or something even more bizarre.

Comment from Chuck Emery on 2006-04-24
I recently heard of an elderly woman in southern Ontario, Canada, who lost her home because someone else had mortgaged it and defaulted on payments. It boggles my mind how a fraudulently acquired mortgage can legally have any effect on her ownership. It looks to me like someone, everyone admits it wasn't her, defrauded a bank - why should that affect her at all?

Comment from jon on 2006-04-21
Some people still just don't "get" identity theft, because they have a very limited view of which documents can put you at risk. Recently I interviewed for a new job, and I was asked to submit, in addition to my resume, a multi-page application form containing enough information to do a background check. Well, sure enough, the HR department of the company in question claimed they had "lost" the form, and emailed me to ask me to submit it again. After dickering back and forth for a while, and guessing that they were just making me do this because it was easier than them doing a proper search, I finally sent them an email saying more or less: "The problem isn't doing the form again. It's that there will now be the previous copy of all my personal information, SSN, ten year job history, school history, address history, etc, floating around where someone may casually pick it up. Think identity theft."

Within literally five minutes of hitting the "send" button on the email, I got an apologetic phone call to say "Sorry, don't send another copy of the form. We found the original one after all".

Comment from Tman on 2006-04-21 (http://www.tmancensored.blogspot.com)
"can be as simple as giving three basic options like open(same as now), confirm (with phone number specified, as can be done now with a fraud statement), or only allow opening accounts in person with appropriate identification."

Many states already have what's known as a "credit freeze" system in place with the bureaus that each individual can activate. So when creditors go to check your credit file for credit worthiness, they will see that your file is "frozen" and can only be unlocked by the individual. The bureaus give you a PIN number where you can unlock your file by calling (I believe it lasts for around three days).

The bureaus fought tooth and nail over this because it becomes an added cost for them to maintain. They also fought tooth and nail over credit alerts until they found out they could make money by offering people side products to go along with it.

The problem is that just because the creditors see this doesn't mean they pay attention to it. The car salesman may sell the car to the person anyways if he badly needs to make the sale.

The only real chance to cut down on these circumstances is to punish the companies that allow the ID theft to happen in the first place, and as Bruce says, they have better lobbyists than we do so good luck with that.

Comment from alabamatoy on 2006-04-21
"a poor federal law is better than none "

That certainly is NOT what the original framers of the constitution intended... the federal government is to have ONLY those powers specifically ascribed in the Constitution; otherwise it's to be the jurisdiction of the states. We have abandoned that on many fronts.

Comment from Curt Sampson on 2006-04-20 (http://mailto:cjs@cynic.net)
I think credit bureaus should be held responsible for information they hold and distribute in the same way that credit card companies should bear the burden of their bad lending decisions. If a credit card company says that I signed up for a card and didn't pay for purchases on it, they should bear the burden of proving that I signed up for it. If they report to a credit bureau that I signed up and didn't pay, and that's not actually the case, that's libel. If the credit bureau repeats that false statement, that's libel as well. Civil prosecution should be able to take care of these.

As far as credit being more difficult to get in such a world, it would probably become more difficult to get at the current rates. However, it seems likely to me that some companies would choose to keep their current rate structure and do more verification of customers, and others would change their rate structure to be able to handle higher losses and then make it easier to get credit. In fact, companies are already doing this; there are special high-interest-rate cards for people with poor or little credit history.

Comment from antibozo on 2006-04-20
Bruce> This is the agenda they brought to the federal bill, cleverly titled the Data Accountability and Trust Act, or DATA.

If they were really being clever, they would have called it DATA Accountability and Trust Act, in true RMS fashion. :^)

Comment from Chris Walsh on 2006-04-20
Been doing some reading of the various state breach laws. I came across a rather, uhmmm, inclusive definition from the great state of Nevada:

" NRS 205.4742 "Encryption" defined. "Encryption" means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or

3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

"

Yep. "Any protective measure".

Comment from Pat Cahalan on 2006-04-20
I agree with Mike Sherwood, with one caveat:

The default for #1 on your credit bureau report should be "closed" -> only allow new accounts in person with identification. If you want to change your status to "verify" or "open", there should be an interface with the credit bureau to change your status.

Since credit companies *want* people to open new accounts, they'll underwrite the cost of this (preventing DMV-like queues). However, since most consumers actually probably would benefit from the additional security, having "default deny" enabled is a good thing.

One final benefit -> given the fact that many people (particularly young people) have damaged their credit rating by getting addicted to easy credit, adding a delay point might cut down on the general American debt load.

Comment from kerberos_boy on 2006-04-20
This reminds me of the fiasco a few months back with the Bankruptcy law. The lobbyists for the credit card companies essentially bribed Congress with $70 million in pork barrel and campaign contributions and got a law passed which holds consumers hostage.

Comment from Lee M. Cardholder on 2006-04-20
I welcome more legislation on disclosing personal data "loss".

Frankly, I'm sick and tired of financial institutions playing fast and loose with my personal information.

Comment from ContextIsEverything on 2006-04-20
"a poor federal law is better than none"

That's a dangerous phrase - I'm glad you immediately qualified it.

Comment from idtheft on 2006-04-20
@Bruce
Another great article!

@Mike Sherwood
Some very insightful comments. I agree with your elaboration on the delinquency of the banks and FI's when it comes to preventing fraud.

You are also "on the mark" regarding 50 state laws. What I see FI's doing is taking a "least common denominator" approach and shoring up their security to support the most strict state laws, while complaining they need a "one law for all" from the feds.

I also like your idea to allow consumers to restrict creation of new accounts, with some form of "in-person" authentication required to make changes. This could go even further to allow consumers to restrict account creation to their state of residence, or even their city. For those that don't, and may never travel outside their country, or even state, they should be able to restrict usage of their accounts by country, state, or even city.

For example, I move around my state and neighboring states a lot, and regularly travel around the country on business, but I don't have plans to travel internationally anytime in the near future, so why should my ATM cards, credit cards, etc. be usable outside the US?

When ATM cards first came out, they were secure since they would only work in the issuing bank's ATM machines. I think in many instances, consumers should be able to create similar types of geographical restrictions. For many consumers, especially those that aren't "geographically mobile", why shouldn't they be able to constrain those regions they want to be able to access their funds from?

Granted, as automated fraud detection technologies get more sophisticated, establishing usage patterns and such, a lot of this type of fraud will be detected. However, why not be able to "help out" the fraud detection by letting the consumer provide geographic usage areas?

Comment from Mike Sherwood on 2006-04-20
"How could it be done better?"

That's a fair question. I think I have some reasonable and cost effective answers.

1. Let people have some control over their account opening options.

We already have major credit bureaus as a choke point for information about people's credit history. It wouldn't be difficult to let people give input on their own credit preferences. It can be as simple as giving three basic options like open (same as now), confirm (with phone number specified, as can be done now with a fraud statement), or only allow opening accounts in person with appropriate identification. I have enough accounts for all of my needs right now; I would be willing to put up with the inconvenience of having to do something in person on the rare occasion I need to open an account.

2. Confirm that information is consistent.

Before opening new accounts, a credit report is pulled currently. If the information (name, address, etc) on the application does not match the credit report, stop the automated process. When the address doesn't match anything else, that should indicate a higher risk. If someone opens a credit card in my name and the credit card goes to my mailbox, it's much more difficult for someone to hide that fact from me, let alone use it. Since the information is available on the credit report and application, this is a quick confirmation step.

3. Authentication can be transitive.

It's not realistic for me to authenticate myself in person to a bank in New York. However, they can tell from my credit report that I have existing relationships with other major banks. Having me identify myself at my convenience at a local branch of the bank of their choosing isn't much of an imposition. Someone wouldn't even need an existing relationship with a financial institution to get their identification verified, but there would probably be a fee in that case.

I don't think a web of trust would be unworkable if you look at that in the context of current credit reporting practices. I think it would be workable if there was an easy way for me, as a customer of Chase, to have Chase tell Bank of America "our customer (name, address, telephone #) would like to open an account with you." That, in combination with an application that makes sense, would go a long way towards preventing most of the fraud we currently see. If nothing else, it would create an audit trail and help in modeling the risk of creating a new account.

Banks already have mechanisms to move money amongst themselves. Maybe if we had trust-bucks that you could transfer from an existing account to a new one, the same infrastructure could be used. If I transferred 1 from each of 5 accounts I have, it would suggest that it's either legit or that I've been totally compromised.

Comment from Mark Earnest on 2006-04-20 (http://markearnest.net)
"Because they have better lobbyists than we do."

I think (while that is certainly true) it is a little more complicated than that. I really doubt Americans would be happy with the level of difficulty in obtaining credit if sane identity checks were put into place to prevent identity theft. As long as identity theft is something that primarily happens to "other people", we are not going to give up our same day credit card and mortgage approvals.

And really when you think about it, how could it be done better? Opening credit requires more data than it does now? That won't solve the problem, just make the data-sets larger all around. The best authentication method we have is biometric (human recognizing another human, not machines trying to recognize humans, that is one of the worst we have), but that requires proximity that is not realistic in a global marketplace.

You really almost either need a centrally managed identifier with a secret component (this is as close as I will ever come to suggesting a government run PKI for the masses) or you need some form of "web of trust"-like attestation system which would likely also be cumbersome and unworkable on a large scale.

Comment from Mike Sherwood on 2006-04-20
They have better lobbyists because they have a consistent goal - reduce liability. That's easy to do, just defang everything that could possibly be used against you. As with all other things, companies will only comply with the laws that are cost effective.

The victims do not have a consistent goal, other than not wanting to be victims. I don't think we could get enough people to pay lobbyists to change the laws in favor of the majority. In order to make an impact, we need lawyers who are willing to take a chance on a large payoff with these companies.

I know there's nothing I can do to prevent identity theft, but I can also live with having my credit rating trashed for a while. If I were a victim of identity theft, the first thing I would do is look for lawyers who want their 40% of a large lawsuit. Class action lawsuits against deep pockets make lawyers drool. The one thing our legal system still has going for it is the juries. I think the average jury would have an easier time relating to people being screwed by companies.

Comment from Bruce Schneier on 2006-04-20 (http://www.schneier.com/blog)
"I still don't understand why the companies granting credit aren't held fully accountable. The companies are willing and active participants in fraud against individuals. The fraud could not be committed without the assistance of those companies."

Because they have better lobbyists than we do.

Comment from Bruce Schneier on 2006-04-20 (http://www.schneier.com/blog)
"It will be an improvement for Arizona, which is #1 for identity theft in the nation on a per-capita basis (according to the FTC's reports), and which has so far been unable to get an identity-theft notification bill through the legislature."

Actually, I think it won't be.

Remember the ChoicePoint story. They were forced to disclose because of the California law. Originally they were only going to disclose to California, because that's what the law said. But public pressure forced them to disclose to everyone. The California law benefited the citizens of Arizona.

Right now there are enough good state laws that companies are improving their security across the board. If there were a weaker federal law, then everyone would be less secure -- both residents of states with stronger laws and residents of states with no laws.

Comment from Jim Lippard on 2006-04-20 (http://lippard.blogspot.com/)
It will be an improvement for Arizona, which is #1 for identity theft in the nation on a per-capita basis (according to the FTC's reports), and which has so far been unable to get an identity-theft notification bill through the legislature.

The passage you cite looks similar to Washington state's safe harbor (in SB 6043) where disclosure is not required if it is determined that the data is not likely to be the subject of a crime.

It may also be a slight improvement for a number of states, like Indiana (SB 503 only applies to state computers) and Georgia (SB 230 only applies to data brokers). It looks like some of the tougher ones are California (SB 1386), Texas (SB 122, must notify even if the data has not been used by a third party), Illinois (HB 1633, covers electronic and paper data, doesn't require the breach to involve a criminal purpose), and Florida (HB 481, has monetary penalties for each day/month of nondisclosure after 30 days).

Comment from Swiss Connection on 2006-04-20
'"The term 'breach of security' means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individuals to whom the personal information relates."'

So I guess it is a reversal of onus of proof of a kind? Companies can breach, claim lack of significant risk, and someone has to sue and win in order to force the company to disclose. Since nobody knows that there has been a breach, because the company has not disclosed, that will most likely never happen!

There is another odd benefit of having 50 different state laws - it becomes so difficult to keep up with all of them that it's just more cost effective to use good security measures. Compliance is an area where companies often do the least they can. However, it's expensive to keep making small changes as the laws change to patch the known problems with the lowest common denominator solution.

Comment from Mike Sherwood on 2006-04-20
I still don't understand why the companies granting credit aren't held fully accountable. The companies are willing and active participants in fraud against individuals. The fraud could not be committed without the assistance of those companies.

In most cases, it's plainly obvious that there is a problem. For example, someone applying for credit using an address that doesn't match anything on their credit report should be a cause for suspicion. It may not indicate a problem since people move and credit reports are slow to get updated. However, I would think there should be additional scrutiny for those accounts.

Data which is publicly available should not be used for authentication purposes. By publicly available, I mean that data aggregators will sell you as many names, addresses, SSNs, etc. as you can afford. The only barrier to entry is cost.

The personal data only has value because companies are willing to accept it as sufficient proof of identity to help someone commit fraud. Notifying people that their data has been compromised is a feel good solution. It doesn't prevent anyone from committing fraud against the individual. It just increases the burden on the individual to request and review their credit reports more frequently.

If we want to have an impact on identity theft, there have to be consequences for the companies granting credit. An affidavit from the individual should be all that is necessary to invalidate the account in question. The burden of proving that the individual owes the company money should lie with the company. There is an obvious conflict of interest when the company is the only party with the evidence needed to prove that the individual did not open the account.

The reality of identity theft is that it's a middle class problem. The poor have no credit, so they're bad targets. The rich can afford to take the risk of a bad credit rating in the interim to fight it out with the companies. These companies know that they don't have a leg to stand on with the fraudulent accounts, but it's in their best interests to try to screw the little guy. The more affluent members of society can make things really unpleasant for the companies, so I suspect the companies are a lot more understanding of complaints by people who already have lawyers on staff.

Comment from Haninah on 2006-04-20
Thanks for the great post. Also, nice cameo this morning in New Scientist: http://www.newscientisttech.com/article/dn9016-faces-in-a-crowd-offer-alternative-to-passwords.html

Comment from Bruce Schneier on 2006-04-20 (http://www.schneier.com/blog)
"To be fair, though, there is both mention of the encryption algorithms and of key management..."

No, you're right. I meant to take that out of the essay, but forgot.

I will fix it in the essay above, right now.

Comment from arl on 2006-04-20
I am going to disagree. The issue is that poor Federal laws tend to make a mess out of everything. Once a poor law is in place the "problem is solved" and it gets harder to fix things.

We would be much better off with 50 good state laws than one bad Federal law.

New York's law ( http://assembly.state.ny.us/leg/?bn=S03492&sh=t ) is pretty good. It is quite strong in dealing with the "first initial loophole", so-so on encryption (algorithms not specified), and acceptable on key management (you lose the key, you have to notify).

One feature of the NY law that is highly desirable, is mandatory central reporting of breaches to the state government. This greatly aids in research, and assists the legislature and regulatory folks. No other state has anything like this (although NJ requires the state police to be notified, they are exempt from that state's freedom of information statute, so there may be no teeth in the requirement).

Comment from Chris Walsh on 2006-04-20
Nicely said, Bruce. You nail the problems with the DATA bill, at least in my opinion.

To be fair, though, there is both mention of the encryption algorithms and of key management:

"4) ENCRYPTION- The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption."

You might say that "appropriate" key management leaves plenty of wiggle room, but would you not agree that mandating the use of NIST-approved algorithms is reasonable? If not, I'd be very interested in your objections.

Comment from Bruce Schneier on 2006-04-20 (http://www.schneier.com/blog)
"Since the current legislation seems to be either weak or harmful, is there any example legislation that we could point out as useful and point out to our Congress persons as legislation that would be good?"

Comment from Steve H. on 2006-04-20
Since the current legislation seems to be either weak or harmful, is there any example legislation that we could point out as useful and point out to our Congress persons as legislation that would be good?

Comment from Dragonhunter on 2006-04-20
Another example of "token measures" to appease the public but that, in fact, do nothing, or less than nothing: they do harm.

You just gotta love our political system... it's one of the most democratic on earth, but, because we are all selfish, we abuse it for our own ends. And if I've got more time and money to defend my end, it means your end gets left hanging....